Former executive accuses IBM of covering up multiple data breaches linked to Chinese hackers




A former IBM cybersecurity executive is alleging that the tech giant was breached tens of thousands of times by a Chinese state-linked hacking group and then systematically covered it up to protect its federal contracts. The lawsuit, filed under seal in 2020 and recently unsealed in New York federal court, paints a picture of a company that allegedly chose revenue preservation over transparency with the US government.

William Barlow, who served as vice president of threat intelligence at IBM, claims the company experienced more than 56,000 cybersecurity intrusions attributed to APT10, a well-known Chinese hacking group, between 2013 and 2016. At least two IBM subsidiaries were also allegedly breached during this period.

What the lawsuit actually alleges

Barlow filed his complaint under the False Claims Act, a federal law that allows whistleblowers to sue on behalf of the government when they believe a company has defrauded it. The core accusation: IBM failed to disclose these breaches to US regulators or its government clients, even after the Five Eyes intelligence alliance, the signals intelligence partnership between the US, UK, Canada, Australia, and New Zealand, warned IBM about security concerns in March 2017.

The lawsuit goes further than simple negligence. Barlow alleges that IBM corporate executives actively pressured staff to minimize the severity of incidents in internal reports.

The suit was unsealed in early June 2026 after the US Department of Justice declined to intervene. The DOJ choosing not to join a False Claims Act case doesn’t mean the allegations lack merit. It often simply means the government doesn’t want to commit its own resources to litigating the matter. The case proceeds regardless, with Barlow pursuing it independently.

IBM has denied any wrongdoing. The company has emphasized that the allegations relate to events from more than six years ago and that it acted in compliance with applicable laws. The case remains pending in New York federal court.

APT10 and the bigger picture

APT10 is not some obscure threat actor. The group, also known as Stone Panda or MenuPass, has been linked to China’s Ministry of State Security and has targeted managed service providers, healthcare companies, and government contractors across multiple countries. The US Department of Justice indicted two members of APT10 in December 2018 for a massive hacking campaign that compromised data from companies across at least a dozen countries.

Companies handling sensitive government data are subject to strict disclosure requirements. Failing to report breaches doesn’t just create security risks. It potentially constitutes fraud against the government, which is exactly what the False Claims Act is designed to address. The government pays for secure systems. If those systems aren’t secure and the vendor knows it, every invoice becomes a potential false claim.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
